DLS parameter substitution not working

I’m working on an authentication proxy, and I’m getting an error when trying to use parameter expansion in my dls.

I’m using an image based off of amazon/opendistro-for-elasticsearch:1.12.0 for elasticsearch, and one based on amazon/opendistro-for-elasticsearch-kibana:1.12.0 for kibana.
In my kibana.yml I have

elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles","x-proxy-ext-space-ids","x-proxy-ext-org-ids"]

opendistro_security.auth.type: "proxy"
opendistro_security.proxycache.user_header: "x-proxy-user"
opendistro_security.proxycache.roles_header: "x-proxy-roles"

and in my elasticsearch config.yml I have:

      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: extended-proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
            attr_header_prefix: "x-proxy-ext-"
        authentication_backend:
          type: noop

then in my roles.yml I have:

cf_user:
  reserved: false
  hidden: false
  cluster_permissions:
  - "read"
  - "cluster:monitor/nodes/stats"
  - "cluster:monitor/task/get"
  index_permissions:
  - index_patterns:
    - "logs-app-*"
    dls: "{\"bool\": {\"should\": [{\"terms\": { \"@cf.space_id\": [${attr.proxy.space-ids}] }}, {\"terms\": {\"@cf.org_id\": [${attr.proxy.org-ids}]}}]}}"
    fls:
    allowed_actions:
    - "read"
  tenant_permissions: []
  static: false

When I try to load the Discover tab I get an error with a stack trace. I believe the important piece is here:

Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token '$': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
 at [Source: (String)"{"bool": {"should": [{"terms": { "@cf.space_id": [${attr.proxy.space_ids}] }}, {"terms": {"@cf.org_id": [${attr.proxy.org_ids}]}}]}}"; line: 1, column: 52]

Looking at the kibana logs, I can see that the x-proxy-ext-org-ids header and x-proxy-ext-space-ids headers are being set.

Am I missing some magic to make the parameter expansion work in dls?

@ben can you put " around {attr.proxy.space-ids} and {attr.proxy.org-ids}
Also I believe you could replace the line like so:
dls: ‘{“bool”: {“should”: [{“terms”: { “@cf.space_id”: ["{attr.proxy.space-ids}"] }}, {"terms": {"@cf.org_id": ["{attr.proxy.org-ids}"]}}]}}’

Not sure if the square brackets () are needed around parameters.